Privacy Policy

What Personal Information We Collect and Why

We gather personal information based on the directives of our clients. For detailed specifics about the types of information being collected about you, please communicate directly with the organization requesting these services.

Most commonly, organizations use our services for purposes related to recruitment and employment. Thus, when this notice mentions "our client" or "your potential employer," it typically refers to such organizations.

What Personal Information We Collect and Why

We share your personal information with:

The client who requested it.

For further information on data sharing, refer to sections 4 and 6.

What We Don’t Do With Your Personal Information

We do not sell or disclose your personal information to governments, marketing or advertising services, other clients, or any unrelated third parties, except as described in this statement or when legally required.

Privacy Mission Statement

InstatData Limited and it’s brand “Thistle Finder” is devoted to upholding privacy rights. We maintain stringent legal and ethical compliance standards. As privacy advocates in the HR technology sector, we cherish the trust our clients, employees, and partners place in us. We integrate privacy protection into all our operations and adhere to the six data protection principles mandated by Article 5 of the GDPR.

Disclosure of Personal Information

We handle personal information in New Zealand, sourced from individuals worldwide, and may transfer it internationally. More details about cross-border data transfers can be found in section 7, “Do We Transfer Personal Information Between Countries?”

1. Scope of Our Work

This document applies to personal information collection and processing conducted by Thistle Finder as part of service delivery to clients. Personal information refers to data identifying an individual.

2. Legal Basis for Processing

When we conduct vetting and monitoring services for clients, Thistle Finder functions as a data processor under client instructions. The client, acting as the data controller, determines the legal basis for data processing. Thistle Finder relies on this basis to process personal data.

To know the specific legal grounds used, please review the privacy notice of the client who requested your vetting/ monitoring.

Clients may rely on various legal bases, including:

Compliance with legal obligations
Performance of a contract
Legitimate interest
Public interest
Vital interest
Consent

For concerns about withholding data or withdrawing consent, contact the client directly.

3. Collection Methods and Purposes

We obtain personal information through several means:

Communication via phone, email, mail, or fax
Social media interactions
Information received from our clients
Data sourced from third parties

Service Provision

We collect information to provide the following services:

Background checks for employment, volunteering, education, or licensure
Onboarding and document validation
Due diligence for investments, acquisitions, or business partnerships

The client typically determines the nature of data collection and processing. Thistle Finder is responsible for executing these processes as instructed and safeguarding data accordingly.

Security Monitoring

We gather data about your activity on secure platforms through cookies to protect system integrity. Information collected includes IP addresses, session details, and access logs. This supports auditing and security investigations.

4. Types of Personal Information Collected

Below are types of data collected from or on behalf of clients, their purposes, and sources:

Type of Information : Purpose : Sources

Names (current/former) : Identification : You or our client

Age : Identification :You or our client

Hometown : Identification : You or our client

Media Information : Background assessment : Internet searches, social media

Public Records : Information sourcing :Government and public records

Secure Platform Logs

We log IP addresses, location data, login credentials, session durations, browser types, and access/modification activities.

5. Use of Cookies

Cookies facilitate efficient website navigation. Types of cookies include:

Session Cookies: Temporary and deleted after browser closure
Persistent Cookies: Stored long-term on your device
First-party Cookies: Set by the website owner
Third-party Cookies: Set by external services

Our platforms may use first-party cookies but avoid third-party ones.

Purposes

Strict Necessity: Essential for site functionality
Performance: Analyzing site usage
Functionality: Customizing user experience

6. Information Sharing

Client Communication

We provide personal information to clients as instructed via secure platforms or other means like phone or mail.

Service Providers

We engage third-party providers for tasks such as data storage, IT support, translation, and audits. These entities receive only the information necessary for their roles.

Exceptional Situations

We may disclose personal information to law enforcement or public bodies when legally mandated.

7. International Transfers

Personal information may be transferred internationally, including outside the EU or Switzerland, under legal safeguards such as:

Adequacy decisions
Approved codes of conduct
Certification mechanisms
Contractual requirements

8. Ensuring Accuracy

We strive to maintain accurate data through automated processes and audits. Clients should be contacted for data correction concerns.

9. Automated Decision-Making and Profiling

Thistle Finder does not independently make decisions or profile individuals but may conduct automated processing under client directives.

10. Research Practices

We do not use personal information for research purposes. Historical, anonymized data may be analysed.

11. Data Retention

We retain data as directed by clients or to meet legal obligations. Contact your potential employer for specific retention details.

12. Security Measures

Thistle Finder employs robust security practices, including:

Firewalls and encryption
Secure data centers
Virtual desktop interfaces for staff
Controlled physical access to offices

Our employees undergo security and privacy training, and only those needing access are granted it.

13. Accessing, Correcting, Deleting, or Transferring Information

You may request access to your data, corrections, or data transfer if Thistle Finder is the controller. Queries can cover:

Data possession and sources
Use and disclosures
Storage locations
Retention periods
Safeguards for international transfers

If Thistle Finder acts as a processor, contact your potential employer for assistance.

14. Handling Complaints

To raise concerns about our handling of personal information, contact us directly. We aim to address complaints promptly and transparently.

15. Contact Information

For inquiries, contact Thistle Finder using the details provided in this statement.

16. Glossary

Key terms used in this document are defined for clarity.

Anonymised means that sufficient information has been removed from personal information so that it can no longer be associated with an identifiable individual.

Client means an organisation that contracts with us to perform services.

Due diligence means a comprehensive appraisal of a business by a prospective customer, supplier or investor, especially to establish its assets and liabilities and evaluate its commercial potential.

Individual, subject or you means the individual that the personal information is about.

Personal information means information about an identifiable individual.

Processing, handling or use means anything we do with personal information.

Services means the human resources technology services we provide to our clients, including vetting.

Service provider means a company engaged to process personal information on another company's behalf.

Source means an organisation holding records on you that we are collecting.

Third party means a person or organisation that is neither you nor us.